Re: kysmoops (was keysmoops)
[EMAIL PROTECTED] wrote:
> Except that I didn't create /var/log/ksymoops (I wouldn't have known how to or why to; I had never heard of ksymoops before I noticed the existence of the log files); it must have been created automatically in the upgrade process from slink to frozen. But that seems wrong, given how hard and time-consuming it turned out to be to find out what the files were and what they are for; in the meantime, the directory just kept growing and growing with eight new files added each minute or so:

The directory is part of the modutils package, so it is created automatically.

The weird thing is that you keep getting new files added every minute. This implies modprobe or rmmod is running every minute. Compare to my system, where I have the directory, and it gets just 6 files in it a day.

I suggest you look at /var/log/ksymoops/*.modules, and compare each successive pair of files with diff.

  [EMAIL PROTECTED]:/var/log/ksymoops>diff 2527000455.modules 2527010002.modules
  0a1
  > serial 18548 0 (autoclean) (unused)
  [EMAIL PROTECTED]:/var/log/ksymoops>diff 2527010002.modules 2527011002.modules
  1d0
  < serial 18548 0 (autoclean) (unused)

My serial module is removed/installed a few times each day, because I have cron jobs to turn my lights on and off, and it uses a serial interface to control them.

You should be able to tell what module(s) are being removed and installed every minute. Then try to track down what is making the modules get loaded. It's probably some program trying to access them. For example if you have a mixer running, and your sound card is not initializing, I have noticed some mixer programs will try to access the sound device several times a minute, causing the kernel to try to load the sound drivers repeatedly.

--
see shy jo
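The pairwise diff suggested in the message above can be run over a whole snapshot directory at once; the script below is an added example, not part of the original message. It assumes snapshot names start with the fixed-width `date +%Y%m%d%H%M%S` prefix so that glob order is chronological; the sample file names and the `sb` entry are constructed.

```shell
#!/bin/sh
# Added example: tally which modules appear/disappear between successive
# *.modules snapshots written by insmod/rmmod into a ksymoops directory.

# module_churn [DIR] -> lines of "COUNT EVENT MODULE", busiest first.
module_churn() {
    dir=${1:-/var/log/ksymoops}
    prev=
    # Fixed-width timestamp prefixes make glob order chronological.
    for cur in "$dir"/*.modules; do
        [ -f "$cur" ] || continue            # glob matched nothing
        if [ -n "$prev" ]; then
            # Column 1 of a /proc/modules snapshot is the module name.
            # FILENAME is tested (not NR==FNR) so an empty older
            # snapshot is still treated as "nothing loaded".
            awk 'FILENAME == ARGV[1] { old[$1] = 1; next }
                 { new[$1] = 1; if (!($1 in old)) print "loaded", $1 }
                 END { for (m in old) if (!(m in new)) print "unloaded", m }' \
                "$prev" "$cur"
        fi
        prev=$cur
    done | sort | uniq -c | awk '{ print $1, $2, $3 }' | sort -k1,1nr -k2
}

# Constructed sample: a sound module bouncing every second, then a moment
# with no modules loaded at all, then serial coming back.
make_sample() {
    s='serial 18548 0 (autoclean) (unused)'   # line format as in the diff
    b='sb 33204 0 (autoclean)'                # constructed entry
    printf '%s\n' "$s"      > "$1/20000524215811.modules"
    printf '%s\n' "$s" "$b" > "$1/20000524215812.modules"
    printf '%s\n' "$s"      > "$1/20000524215813.modules"
    printf '%s\n' "$s" "$b" > "$1/20000524215814.modules"
    : > "$1/20000524215815.modules"           # empty snapshot
    printf '%s\n' "$s"      > "$1/20000524215816.modules"
}

# Demo on the constructed data; on a real system call module_churn with no
# argument to read /var/log/ksymoops.
tmp=$(mktemp -d) && make_sample "$tmp" && module_churn "$tmp"
rm -rf "$tmp"
```

The module at the top of the output is the one being loaded and unloaded most often, which is where to start looking for the program that keeps requesting it.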
Re: kysmoops (was keysmoops)
| Given that the directory isn't being rotated, is constantly growing,
| neither keysmoop nor keysmoops returns any hits on Google, and
| that smoop looks suspiciously like snoop..

Forgive me; I mis-typed. The directory is actually `ksymoops' and it's obviously not the result of a security breach.

According to kernelnotes.org, ksymoops is a program to:

    Read a kernel Oops file and make the best stab at converting the code to instructions and mapping stack values to kernel symbols.

At www.us.kernel.org we are told:

    ksymoops - decode Linux kernel Oops messages. Also handles spinlock and showPc diagnostics.

When you poke around a bit more (in the man page for insmod for example), you discover that to overcome certain problems with debugging kernel oops:

    if directory /var/log/ksymoops exists then insmod and rmmod will automatically copy /proc/ksyms and /proc/modules to /var/log/ksymoops with a prefix of `date +%Y%m%d%H%M%S`. The system administrator can tell ksymoops which snapshot files to use when debugging an Oops. There is no switch to disable this automatic copy, if you do not want it to occur, do not create /var/log/ksymoops. If that directory exists, it should be owned by root and be mode 644 or 600 and you should run this script every day or so. The script below is installed as insmod_clean_ksymoops.

Which all makes a kind of sense. Except that I didn't create /var/log/ksymoops (I wouldn't have known how to or why to; I had never heard of ksymoops before I noticed the existence of the log files); it must have been created automatically in the upgrade process from slink to frozen. But that seems wrong, given how hard and time-consuming it turned out to be to find out what the files were and what they are for; in the meantime, the directory just kept growing and growing with eight new files added each minute or so:

. . .
-rw-r--r-- 1 root root  1842 May 24 21:58 2524215811.modules
-rw-r--r-- 1 root root 70151 May 24 21:58 2524215812.ksyms
-rw-r--r-- 1 root root  2671 May 24 21:58 2524215812.modules
-rw-r--r-- 1 root root 74557 May 24 21:58 2524215813.ksyms
-rw-r--r-- 1 root root  3285 May 24 21:58 2524215813.modules
-rw-r--r-- 1 root root 75002 May 24 21:58 2524215814.ksyms
-rw-r--r-- 1 root root  3369 May 24 21:58 2524215814.modules
-rw-r--r-- 1 root root 72660 May 24 21:59 2524215956.ksyms
-rw-r--r-- 1 root root  2681 May 24 21:59 2524215956.modules
-rw-r--r-- 1 root root 68075 May 24 21:59 2524215957.ksyms
-rw-r--r-- 1 root root  2129 May 24 21:59 2524215957.modules
-rw-r--r-- 1 root root 55266 May 24 21:59 2524215958.ksyms
-rw-r--r-- 1 root root  1501 May 24 21:59 2524215958.modules
-rw-r--r-- 1 root root 39156 May 24 22:00 2524215959.ksyms
-rw-r--r-- 1 root root   650 May 24 22:00 2524215959.modules
-rw-r--r-- 1 root root 22109 May 24 22:00 252422.ksyms
-rw-r--r-- 1 root root   108 May 24 22:00 252422.modules
-rw-r--r-- 1 root root 35488 May 24 22:00 2524220014.ksyms
-rw-r--r-- 1 root root   408 May 24 22:00 2524220014.modules

Oh well---another Linux learning experience, I suppose.

Jim
Re: kysmoops (was keysmoops)
[EMAIL PROTECTED] said:
> Forgive me; I mis-typed. The directory is actually `ksymoops' and it's obviously not the result of a security breach.
>
> Oh well---another Linux learning experience, I suppose.

For both of us... Glad to hear that your system's secure!

--
Two words: Windows survives. - Craig Mundie, Microsoft senior strategist
So does syphilis. Good thing we have penicillin. - Matthew Alton
Geek Code 3.1: GCS d- s+: a- C++ UL++$ P L++ E- W--(++) N+ o+ !K w---$ O M- !V PS+ PE Y+ PGP t 5++ X+ R++ tv- b++ DI D G e* h+ r++ y+
Re: kysmoops
[EMAIL PROTECTED] wrote:
> | Given that the directory isn't being rotated, is constantly growing,
> | neither keysmoop nor keysmoops returns any hits on Google, and
> | that smoop looks suspiciously like snoop..
>
> Forgive me; I mis-typed. The directory is actually `ksymoops' and it's obviously not the result of a security breach.
>
> According to kernelnotes.org, ksymoops is a program to:
>
>     Read a kernel Oops file and make the best stab at converting the code to instructions and mapping stack values to kernel symbols.
>
> ...
>
> Which all makes a kind of sense. Except that I didn't create /var/log/ksymoops (I wouldn't have known how to or why to; I had never heard of ksymoops before I noticed the existence of the log files); it must have been created automatically in the upgrade process from slink to frozen.

One of the required or standard or important packages in frozen (potato) recommends the ksymoops package. I avoided it for a long time, not feeling need for it, but since I like to = (hold) installed packages, and was even more annoyed by the suggestion coming up, I went ahead and installed it.

You may have selected it inadvertently with a list of depends/recommends.
Re: kysmoops
| One of the required or standard or important packages in frozen
| (potato) recommends the ksymoops package. I avoided it for a long
| time, not feeling need for it, but since I like to = (hold)
| installed packages, and was even more annoyed by the suggestion
| coming up, I went ahead and installed it.
|
| You may have selected it inadvertently with a list of
| depends/recommends.

Yes, modutils isn't it? The weird thing is that the ksymoops package is not installed on my system and never, as far as I can tell, has been---/var/lib/dpkg/status, all the old versions of /var/lib/dpkg/status, dpkg -s, dpkg -l, and /usr/share/doc all agree about that. I ran `script' while I was doing the upgrade to frozen and so I have a record of the entire output to console; there's no mention of the package in that record either.

Ah well

Thank you very much for your help (all of you),

Jim